Challenging Corporate Thinking on Implementing IAM Solutions

Organizations around the world are facing more security threats to their business than ever before. Breaches of confidentiality, crippling cyber attacks and data theft by their own employees are just some of the issues that companies now have to contend with and plan for. These security threats can also necessitate taking a more tangible approach to security where controlling physical access to premises is high on the agenda for many companies.

As soon as lurking security risks are exposed, they can exact a costly penalty in terms of reputational damage, eroding the confidence of investors and the market. This can be disruptive to a company's operations and can even have a knock-on impact on customer service.

"Successfully managing physical and logical access to high-value resources or sensitive data is one of the most effective ways for companies to protect themselves against the barrage of threats they now face."

Tony Ball

HID Global

At the same time, companies are also wrestling with swathes of regulations like Sarbanes-Oxley, ISO9000 and Basel II that require them to take a more consistent and comprehensive approach to risk management, corporate governance and compliance in their day-to-day operations.

Successfully managing physical and logical access to high-value resources or sensitive data is one of the most effective ways for companies to protect themselves against the barrage of threats they now face. Driven by these corporate imperatives, identity and access management (IAM) is fast securing its position as a cornerstone of information security, with a growing number of organisations recognizing the potential benefits of an effective IAM program in terms of cost savings, better service levels, tighter IT governance and improved regulatory compliance.

A survey carried out by technology and market research firm Forrester found that over 75 per cent of enterprise IT security professionals in the UK, France and Germany feel that governance, risk and compliance are motivating them to consider IAM solutions for their organisation.

So if the majority of IT professionals recognize the need to implement IAM, why has this so far failed to translate into wide-scale adoption?

One of the foremost barriers to adoption cited by companies that have considered – but reluctantly decided against – IAM is the cost issue. The ravages of the recession have blown a sizeable hole in the IT budgets of many organisations, with other corporate issues sometimes prioritized over IT security. However, when a company slashes its IT budget, it can leave itself dangerously exposed to security and financial risks, and the money saved by reducing budgets can soon be more than swallowed up by the costs of security breaches. While it is impossible to wholly quantify the financial impact of security incidents, the Ponemon Institute estimates that data breaches cost around £60 per compromised record. Furthermore, according to a survey by Datamonitor, smart card security solutions can actually result in savings of more than $2 million for every 2,000 employees.

A further reason why IAM has not yet been broadly taken up by organisations is that it is still viewed in some quarters as a tactical rather than a strategic implementation. Too many companies still treat IAM as a series of ad hoc projects instead of a process that is as dynamic as their company itself. But adopting a scattergun approach to IAM across an organisation can be counterproductive to say the least. Juggling multiple, mutually exclusive systems is doomed to failure. Not only is this an expensive and resource-intensive way to approach IAM, but the lack of integration or coordination between these systems generates substantial – and unnecessary – complexity. This often leads to a lack of buy-in from senior management and thus a lack of engagement amongst employees themselves.